[Freeipa-users] Initial login on RHEL 6 fails

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Mon Jan 9 22:42:52 UTC 2012


On 01/09/2012 01:31 PM, Simo Sorce wrote:
> On Mon, 2012-01-09 at 12:28 -0900, Erinn Looney-Triggs wrote:
>>
> [snip]
> 
> 
> Looks like the expiration is not updated, I suspect the password change
> actually failed.
> 
>> A couple of additional notes that may be important. The system to which
>> I am attempting to authenticate lives in private IP space whereas the
>> IPA server is on a public IP.
> 
> Does it mean the client system is NATed wrt IPA?

That is correct.

> 
> I think that could make kpasswd fail. I need to check if this has been
> addressed in MIT libraries but IIRC it is a known limitation so far.
> The kpasswd binary I think specifies the IP address in mk_priv and fails
> verification from behind a NAT.
> 
>> Second, HBAC is in effect on the host so
>> the user must be a member of the desktop group in order to
>> authenticate.
> 
> HBAC is not involved in any way with password changes, so I am confident
> you can exclude any correlation.
> 
>> These may not have any bearing, or they may, who knows.
> 
> Yes, the NAT part may be your issue.

Yeah, my kerb foo is a little rusty, but the whole NAT/kerb thing causing
issues does ring a bell with me too. I will continue to research.

Thanks for the info,
-Erinn


